author | Andreas Schneider <asn@samba.org> | 2020-08-19 15:46:11 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2021-04-28 03:43:34 +0000 |
commit | 521f77c6671a0a088dedcdcafd264690c123b0b3 (patch) | |
tree | 5f9dccec89fc63d2112d35e078fc9dad573be05f | |
parent | a00726593c2f3b464e48c22e7a757aa1a06ecff2 (diff) | |
download | samba-521f77c6671a0a088dedcdcafd264690c123b0b3.tar.gz |
auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
29 files changed, 126 insertions, 51 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index d851951c9ed..3975fba693f 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -44,7 +44,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 cred->winbind_separator = '\\';
- cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ cred->kerberos_state = CRED_USE_KERBEROS_DESIRED;
 cred->signing_state = SMB_SIGNING_DEFAULT;
@@ -108,10 +108,18 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx)
 return anon_credentials;
 }
-_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
- enum credentials_use_kerberos use_kerberos)
+_PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos kerberos_state,
+ enum credentials_obtained obtained)
 {
- creds->use_kerberos = use_kerberos;
+ if (obtained >= creds->kerberos_state_obtained) {
+ creds->kerberos_state = kerberos_state;
+ creds->kerberos_state_obtained = obtained;
+
+ return true;
+ }
+
+ return false;
 }
 _PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
@@ -129,7 +137,7 @@ _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
 _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
 {
- return creds->use_kerberos;
+ return creds->kerberos_state;
 }
 _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
@@ -982,6 +990,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
 cred->encryption_state_obtained = CRED_SMB_CONF;
 }
+
+ if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
+ /* Will be set to default for invalid smb.conf values */
+ cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
+ cred->kerberos_state_obtained = CRED_SMB_CONF;
+ }
 }
 /**
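Review bot: The new `bool` result of `cli_credentials_set_kerberos_state()` is dropped by every caller this commit touches, so a refused update (an `obtained` below the stored `kerberos_state_obtained`) would leave the previous, possibly weaker, Kerberos policy in place with no signal. That matters most where the call is a guard that forces `CRED_USE_KERBEROS_REQUIRED` to keep password/NTLM authentication off, as in `pdb_get_trust_credentials()` and `gensec_gssapi_session_info()` later in this patch. All of those pass `CRED_SPECIFIED`, which is presumably the highest `enum credentials_obtained` level (the enum is not shown here), so the call cannot be refused today. The function should still carry a header comment stating the contract, e.g. `/* Returns false and leaves the state untouched if 'obtained' ranks below the level the current state was set with. */`, and guard-style callers could check the result.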
@@ -1105,7 +1119,9 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
 cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
 cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
 cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 /**
@@ -1592,8 +1608,9 @@ _PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds)
 creds->self_service);
 DBG_ERR(" Target service: %s\n", creds->target_service);
- DBG_ERR(" Kerberos state: %s\n",
- krb5_state_to_str(creds->use_kerberos));
+ DBG_ERR(" Kerberos state: %s - %s\n",
+ krb5_state_to_str(creds->kerberos_state),
+ obtained_to_str(creds->kerberos_state_obtained));
 DBG_ERR(" Kerberos forwardable ticket: %s\n", krb5_fwd_to_str(creds->krb_forwardable));
 DBG_ERR(" Signing state: %s - %s\n",
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 1802e383594..bcbe012ec12 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -132,8 +132,9 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 const char **error_string);
 void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, const char *sasl_mech);
-void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
- enum credentials_use_kerberos use_kerberos);
+bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos kerberos_state,
+ enum credentials_obtained obtained);
 void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, enum credentials_krb_forwardable krb_forwardable);
 bool cli_credentials_set_domain(struct cli_credentials *cred,
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index 3b86b742448..d39ead3b379 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -40,6 +40,7 @@ struct cli_credentials {
 enum credentials_obtained signing_state_obtained;
 enum credentials_obtained ipc_signing_state_obtained;
 enum credentials_obtained encryption_state_obtained;
+ enum credentials_obtained kerberos_state_obtained;
 /* Threshold values (essentially a MAX() over a number of the
 * above) for the ccache and GSS credentials, to ensure we
@@ -101,7 +102,7 @@ struct cli_credentials {
 bool machine_account;
 /* Should we be trying to use kerberos? */
- enum credentials_use_kerberos use_kerberos;
+ enum credentials_use_kerberos kerberos_state;
 /* Should we get a forwardable ticket? */
 enum credentials_krb_forwardable krb_forwardable;
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d7b1c430841..c03d80ac440 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1433,7 +1433,9 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *
 cred->impersonate_principal = talloc_strdup(cred, principal);
 talloc_free(cred->self_service);
 cred->self_service = talloc_strdup(cred, self_service);
- cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 }
 /*
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 1bec60e5dce..49505f64315 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 const struct samr_Password *nt_hash = NULL;
 int rc;
- if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
+ if (cred->kerberos_state == CRED_USE_KERBEROS_REQUIRED) {
 TALLOC_FREE(frame);
 return NT_STATUS_INVALID_PARAMETER_MIX;
 }
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 58067a5bece..ab2c9ddeef9 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -391,7 +391,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 break;
 }
 }
- cli_credentials_set_kerberos_state(cred, use_kerberos);
+ cli_credentials_set_kerberos_state(cred,
+ use_kerberos,
+ CRED_SPECIFIED);
 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 4c9ad0bde44..127085f4950 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -569,7 +569,7 @@ static PyObject *py_creds_set_kerberos_state(PyObject *self, PyObject *args)
 if (!PyArg_ParseTuple(args, "i", &state)) return NULL;
- cli_credentials_set_kerberos_state(creds, state);
+ cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED);
 Py_RETURN_NONE;
 }
diff --git a/auth/credentials/tests/simple.c b/auth/credentials/tests/simple.c
index b39d7a2251b..32a9ca7c533 100644
--- a/auth/credentials/tests/simple.c
+++ b/auth/credentials/tests/simple.c
@@ -73,7 +73,9 @@ static bool test_guess(struct torture_context *tctx)
 const char *passwd_fd = getenv("PASSWD_FD");
 const char *passwd_file = getenv("PASSWD_FILE");
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 unsetenv("USER");
 unsetenv("PASSWD_FD");
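Review bot: In `py_creds_set_kerberos_state()` the `state` value parsed with the `"i"` format is handed to `cli_credentials_set_kerberos_state()` as an `enum credentials_use_kerberos` with no range check visible in the hunk. An out-of-range integer would be stored as the Kerberos policy at `CRED_SPECIFIED`, and equality tests such as `cred->kerberos_state == CRED_USE_KERBEROS_REQUIRED` in credentials_ntlm.c would then treat it as "not required". Consider rejecting anything other than the three known states with a `ValueError` before the call. The binding also discards the new bool result and always returns `None`, which is worth a short comment. The function starts outside the hunk, so an earlier check may already exist.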
@@ -98,7 +100,9 @@ static bool test_guess(struct torture_context *tctx)
 if (passwd_file != NULL) {
 setenv("PASSWD_FILE", passwd_file, 1);
 }
- cli_credentials_set_kerberos_state(creds, old_kerb_state);
+ cli_credentials_set_kerberos_state(creds,
+ old_kerb_state,
+ CRED_SPECIFIED);
 return true;
 }
diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c
index 529858ccbb8..bcf1212874b 100644
--- a/examples/winexe/winexe.c
+++ b/examples/winexe/winexe.c
@@ -284,7 +284,8 @@ static void parse_args(int argc, const char *argv[],
 cli_credentials_set_kerberos_state(cred, strcmp(opt_kerberos, "yes") ? CRED_USE_KERBEROS_REQUIRED
- : CRED_USE_KERBEROS_DISABLED);
+ : CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 if (options->runas == NULL && options->runas_file != NULL) {
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index e4ff2b7dedc..ebb1f19bd54 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -349,9 +349,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 cli_credentials_set_conf(server_credentials, lp_ctx);
 if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
 } else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 nt_status = gensec_server_start(tmp_ctx, gensec_settings,
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index d6b7c868c22..c54f955d617 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
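Review bot: The condition feeding the call in winexe.c's `parse_args()` looks inverted: `strcmp(opt_kerberos, "yes")` is 0 when the strings match, so `yes` selects `CRED_USE_KERBEROS_DISABLED` and any other value selects `CRED_USE_KERBEROS_REQUIRED`. The commit only appends `CRED_SPECIFIED` and keeps that expression, so the result is now pinned at the strongest precedence level. If the option means what its name suggests, a user who asks for Kerberos silently gets a non-Kerberos mechanism. If that reading is right the test should be `strcmp(opt_kerberos, "yes") == 0`. `parse_args()` starts and ends outside the hunk, so confirm how `opt_kerberos` is documented before changing it.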
@@ -105,7 +105,9 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
 if (username != NULL && username[0] != '\0' && password != NULL && password[0] != '\0' && krb5_state == CRED_USE_KERBEROS_REQUIRED) {
- cli_credentials_set_kerberos_state(ctx->creds, CRED_USE_KERBEROS_DESIRED);
+ cli_credentials_set_kerberos_state(ctx->creds,
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
 }
 status = cli_cm_open(ctx, NULL,
diff --git a/source3/lib/netapi/netapi.c b/source3/lib/netapi/netapi.c
index a56651d100f..56e26c83fa4 100644
--- a/source3/lib/netapi/netapi.c
+++ b/source3/lib/netapi/netapi.c
@@ -342,7 +342,8 @@ NET_API_STATUS libnetapi_set_creds(struct libnetapi_ctx *ctx,
 NET_API_STATUS libnetapi_set_use_kerberos(struct libnetapi_ctx *ctx)
 {
 cli_credentials_set_kerberos_state(ctx->creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 return NET_API_STATUS_SUCCESS;
 }
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index d2af34ee19b..5374a29a514 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -312,7 +312,9 @@ void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info,
 krb5_state = CRED_USE_KERBEROS_DISABLED;
 }
- cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
+ cli_credentials_set_kerberos_state(auth_info->creds,
+ krb5_state,
+ CRED_SPECIFIED);
 }
 bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info)
@@ -351,7 +353,9 @@ void set_cmdline_auth_info_fallback_after_kerberos(struct user_auth_info *auth_i
 break;
 }
- cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
+ cli_credentials_set_kerberos_state(auth_info->creds,
+ krb5_state,
+ CRED_SPECIFIED);
 }
 bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info *auth_info)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 90ffa040ec0..60fa2bf80cb 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
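Review bot: In `libnetapi_open_ipc_connection()` the branch relaxes `CRED_USE_KERBEROS_REQUIRED` to `CRED_USE_KERBEROS_DESIRED` whenever a username and password are present, and it now stamps that downgrade as `CRED_SPECIFIED`. Because the setter accepts `obtained >= creds->kerberos_state_obtained`, an equal level overwrites, so this internal relaxation replaces the explicit `CRED_USE_KERBEROS_REQUIRED` that `libnetapi_set_use_kerberos()` (netapi.c, next section) records at the same level. If allowing a non-Kerberos fallback here is intended, say so next to the call, e.g. `/* deliberate: permit fallback when a password was supplied, overriding libnetapi_set_use_kerberos() */`; otherwise a lower `obtained` level would keep the caller's explicit choice. The function body continues outside the hunk.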
@@ -163,7 +163,8 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 }
 cli_credentials_set_kerberos_state(auth_generic_state->credentials,
- krb5_state);
+ krb5_state,
+ CRED_SPECIFIED);
 if (target_service != NULL) {
 nt_status = gensec_set_target_service(
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index bd3aeec9434..fb28fa44dfe 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1707,7 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
 if (use_kerberos) {
 cli_credentials_set_kerberos_state(cli_creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 }
 status = cli_full_connection_creds(&cli, NULL,
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index b95b14b018c..b13e43f9801 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -123,13 +123,16 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
 if (use_kerberos && fallback_after_kerberos) {
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DESIRED);
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
 } else if (use_kerberos) {
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 } else {
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED);
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 if (use_ccache) {
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index f4cbbe6c06e..73fcb3da308 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2683,7 +2683,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 /*
 * It's not possible to use NTLMSSP with a domain trust account.
 */
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 } else {
 /*
 * We can't use kerberos against an NT4 domain.
@@ -2691,7 +2693,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 * We should have a mode that also disallows NTLMSSP here,
 * as only NETLOGON SCHANNEL is possible.
 */
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
@@ -2709,7 +2713,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 /*
 * We currently can't do kerberos just with an NTHASH.
 */
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 goto done;
 }
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 9d1fcf8bd42..4f1d2f697f0 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -2518,13 +2518,15 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m,
 * Force kerberos if this is an active directory domain
 */
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 } else {
 /*
 * TODO: we should allow krb5 with the raw nt hash.
 */
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED);
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 *_creds = talloc_move(mem_ctx, &creds);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 4d6f5845062..4ed74ae52b0 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2569,7 +2569,9 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 goto fail;
 }
- cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
+ cli_credentials_set_kerberos_state(auth_generic_ctx->credentials,
+ use_kerberos,
+ CRED_SPECIFIED);
 cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
 status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 2939145d594..8b59fb87c67 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -911,8 +911,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 case DCERPC_AUTH_TYPE_SPNEGO:
 case DCERPC_AUTH_TYPE_NTLMSSP:
 case DCERPC_AUTH_TYPE_KRB5:
- cli_credentials_set_kerberos_state(
- creds, krb5_state);
+ cli_credentials_set_kerberos_state(creds,
+ krb5_state,
+ CRED_SPECIFIED);
 ntresult = cli_rpc_pipe_open_with_creds( cli, cmd_entry->table,
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 5300dfbef80..fbafa51cbb8 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2478,7 +2478,9 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
 talloc_destroy(mem_ctx);
 return -1;
 }
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername, &server_ss, 0,
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 7383d593f53..5747bfa581a 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -499,13 +499,16 @@ struct cli_credentials *net_context_creds(struct net_context *c,
 if (c->opt_kerberos && c->opt_user_specified) {
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DESIRED);
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
 } else if (c->opt_kerberos) {
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 } else {
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED);
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 if (c->opt_ccache) {
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 0370803167f..d833ee90b35 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1365,9 +1365,13 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx,
 cli_credentials_set_conf(server_credentials, lp_ctx);
 if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
 } else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 }
 nt_status = gensec_server_start(tmp_ctx, gensec_settings,
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 431916a82a3..df785a0ba62 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -708,7 +708,9 @@ static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx,
 }
 cli_credentials_set_conf(creds, lp_ctx);
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
 if (!ok) {
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 16520004415..9adc477a15c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1557,7 +1557,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 }
 /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
- cli_credentials_set_kerberos_state(session_info->credentials, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(session_info->credentials,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 /* It has been taken from this place... */
 gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 8e44dcd24f1..e6b6653bb1d 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -295,7 +295,8 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
 /* This credential handle isn't useful for password
 * authentication, so ensure nobody tries to do that */
 cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 }
 #endif
diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c
index 694b6ef8b95..552e68b7eeb 100644
--- a/source4/lib/cmdline/popt_credentials.c
+++ b/source4/lib/cmdline/popt_credentials.c
@@ -121,7 +121,8 @@ static void popt_common_credentials_callback(poptContext con,
 popt_get_cmdline_credentials(), use_kerberos ? CRED_USE_KERBEROS_REQUIRED
- : CRED_USE_KERBEROS_DISABLED);
+ : CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 break;
 }
diff --git a/source4/torture/ldap/session_expiry.c b/source4/torture/ldap/session_expiry.c
index e5e38450745..ecb722fc4b8 100644
--- a/source4/torture/ldap/session_expiry.c
+++ b/source4/torture/ldap/session_expiry.c
@@ -54,8 +54,9 @@ bool torture_ldap_session_expiry(struct torture_context *torture)
 torture_assert_goto( torture, url!=NULL, ret, fail, "talloc_asprintf failed");
- cli_credentials_set_kerberos_state(
- credentials, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(credentials,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
 ok = lpcfg_set_option( torture->lp_ctx, "gensec_gssapi:requested_life_time=4");
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index a5755041040..2c708dc806f 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -965,8 +965,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
 torture_assert(torture, s->join_ctx2 != NULL, "Failed to join domain with acct_flags=ACB_WSTRUST");
- cli_credentials_set_kerberos_state(s->wks_creds1, CRED_USE_KERBEROS_DISABLED);
- cli_credentials_set_kerberos_state(s->wks_creds2, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(s->wks_creds1,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
+ cli_credentials_set_kerberos_state(s->wks_creds2,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
 for (i=0; i < s->nprocs; i++) {
 struct cli_credentials *wks = s->wks_creds1; |